Making business trips simple, seamless and aligned to travelers’ preferences requires data. And that data—linked to people, companies and transactions—must be protected. BCD Travel’s Executive Vice President of Technology, Products & Innovation Russell Howell and Chief Information Security Officer Sherron Burgess explain how the travel management company safeguards data streaming through every corporate trip.
What defines BCD Travel’s commitment to data security?
HOWELL: Investment. BCD’s data security team has grown significantly over the last decade. That reflects the changing landscape of technological changes and risks, but it also reflects our global leadership team’s willingness to invest resources in what’s important to our clients and the success of our company.
How do you manage data security amid so much change?
BURGESS: We are strategic, consistent and methodical. We know our rationale—we understand why we’re taking action or making an investment.
What does being ‘strategic, consistent and methodical’ look like?
BURGESS: Our data security strategy follows four tenets: The first is prioritization, which means we invest resources in areas likely to have the greatest positive impact on our business direction and needs. We are data people, so we use a prioritization metric to calculate the potential impact. Second, we do the basics well. That means we approach policies, compliance, training and technological controls in a consistent way time after time.
Our third tenet is what we call ‘smart enhancement.’ We use findings from our regular and comprehensive audits to guide where we need to improve. Finally, our fourth tenet is to manage potential threats by focusing on governance, risk and compliance [GRC], a structured approach that aligns information technology with business goals to mitigate risk.
HOWELL: We use our four-tenet methodology to help customers assess their technology and data security priorities, too. When we see risks trending in particular markets, we share that information with clients and explain why they may want to beef up their protections.
How do ISO certifications and audits factor into your approach to data security?
HOWELL: We use independent auditors and assessors to validate that we are using best practices and continually improving. We meet ongoing standards. These are not point-in-time assessments.
What are some of BCD’s key audits and certifications?
BURGESS: ISO 27001:2013 Information Security Management System [ISMS] certification demonstrates that BCD follows information security best practices. Our data centers are ISO 9001:2008 and ISO 27001:2013 certified for security, redundancy and disaster recovery controls.
The SSAE18 SOC 1 Type 2 Audit primarily applies to our U.S. financial operations, but it covers information security as part of control activities.
Our Payment Card Industry Data Security Standard [PCI DSS] certificate validates that we have complied with requirements for protecting cardholder data and includes vulnerability scans of our networks. ISO 14001:2015 Environmental Management System [EMS] validates progress on our sustainability commitments.
ISO 9001:2008 Quality Management System [QMS] certifies that BCD has some of the highest-quality data in the industry. The certification covers bookings and reservations, as well as the customer data we collect, including from third parties. We have a proprietary, standalone Global Data Quality Tool that does a check on all data coming in before it goes to the database. If the data does not pass quality standards set by ourselves and our clients, it gets sent back to the data provider to correct. Our quality control ensures we input clean data so reliable reports come out the other side.
Why is data quality so important to BCD and your clients?
HOWELL: Our value proposition is rooted in innovation, partnership and simplicity. Data is essential to delivering on all of these commitments to clients. Our customers rely on the data we provide to make crucial business decisions, so it has to be of the highest quality. It must produce reliable insights that our clients can act on with confidence. Our commitment to data quality is reflected in the ISO 9001 certification of our data quality processes. It’s our understanding that we are the only TMC to have attained this.
Has the European Union’s General Data Protection Regulation (GDPR) changed BCD’s approach to data security and individual privacy?
BURGESS: Privacy is a big challenge, but it’s not a new one. We are a European-owned company, and strict privacy laws have shaped our data security standards for years. GDPR is just another evolution of that.
What are the biggest data security challenges facing the business travel industry today?
HOWELL: Social engineering, where fraudsters use confidence schemes—even low-tech ones—to gain information, is a problem for all TMCs and corporate travel programs. Bad guys target travel because we have a lot of processes and our operations are complex. That’s why we are so dedicated to consistency and methodology. When you have a set way of doing things, it’s much easier to spot inconsistencies and outliers.